<html>
<head><meta charset="utf-8"><title>clippy security lints · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html">clippy security lints</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="174677762"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clippy%20security%20lints/near/174677762" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html#174677762">(Sep 01 2019 at 21:21)</a>:</h4>
<p>I've considered starting a markdown file with anti-patterns found via Safety Dance in its repo, but then realized we'll be writing requests for Clippy lints anyway, so might as well skip right to that. <br>
<a href="https://github.com/rust-lang/rust-clippy/issues/4483" target="_blank" title="https://github.com/rust-lang/rust-clippy/issues/4483">https://github.com/rust-lang/rust-clippy/issues/4483</a><br>
<a href="https://github.com/rust-lang/rust-clippy/issues/4484" target="_blank" title="https://github.com/rust-lang/rust-clippy/issues/4484">https://github.com/rust-lang/rust-clippy/issues/4484</a><br>
I'm just starting out, there's plenty more we can glean from the code that's already been fixed.</p>



<a name="174677958"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clippy%20security%20lints/near/174677958" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html#174677958">(Sep 01 2019 at 21:29)</a>:</h4>
<p>sounds like a great idea</p>



<a name="174678688"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clippy%20security%20lints/near/174678688" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html#174678688">(Sep 01 2019 at 21:56)</a>:</h4>
<p><a href="https://github.com/rust-lang/rust-clippy/issues/4485" target="_blank" title="https://github.com/rust-lang/rust-clippy/issues/4485">https://github.com/rust-lang/rust-clippy/issues/4485</a></p>



<a name="175100168"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clippy%20security%20lints/near/175100168" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html#175100168">(Sep 06 2019 at 20:21)</a>:</h4>
<p>Requested another lint: <a href="https://github.com/rust-lang/rust-clippy/issues/4515" target="_blank" title="https://github.com/rust-lang/rust-clippy/issues/4515">https://github.com/rust-lang/rust-clippy/issues/4515</a><br>
Also, I was surprised to find that Clippy already lints against transmuting references (suggests pointer casting instead) and then catches alignment issues with casts.</p>



<a name="175102391"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clippy%20security%20lints/near/175102391" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html#175102391">(Sep 06 2019 at 20:49)</a>:</h4>
<p>Aaaand discussion in one of those Clippy lints actually spawned an RFC: <a href="https://github.com/rust-lang/rfcs/pull/2756" target="_blank" title="https://github.com/rust-lang/rfcs/pull/2756">https://github.com/rust-lang/rfcs/pull/2756</a></p>



<a name="175102418"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clippy%20security%20lints/near/175102418" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html#175102418">(Sep 06 2019 at 20:49)</a>:</h4>
<p>By Alkosh, I love the Rust community</p>



<a name="175114802"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clippy%20security%20lints/near/175114802" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html#175114802">(Sep 07 2019 at 00:04)</a>:</h4>
<p>wow, awesome</p>



<a name="175136700"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clippy%20security%20lints/near/175136700" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html#175136700">(Sep 07 2019 at 11:12)</a>:</h4>
<p>More lint requests: <a href="https://github.com/rust-lang/rust-clippy/issues/4520" target="_blank" title="https://github.com/rust-lang/rust-clippy/issues/4520">https://github.com/rust-lang/rust-clippy/issues/4520</a><br>
I suppose I could use some upvotes on this one: <a href="https://github.com/rust-lang/rust-clippy/issues/4515" target="_blank" title="https://github.com/rust-lang/rust-clippy/issues/4515">https://github.com/rust-lang/rust-clippy/issues/4515</a></p>



<a name="175136710"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clippy%20security%20lints/near/175136710" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html#175136710">(Sep 07 2019 at 11:13)</a>:</h4>
<p>Oh hey, one requested lint is already implemented, just waiting on review: <a href="https://github.com/rust-lang/rust-clippy/pull/4511" target="_blank" title="https://github.com/rust-lang/rust-clippy/pull/4511">https://github.com/rust-lang/rust-clippy/pull/4511</a></p>



<a name="177642795"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clippy%20security%20lints/near/177642795" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html#177642795">(Oct 08 2019 at 18:13)</a>:</h4>
<p>Clippy has just merged a lint to complain about unsound transmutes of owned collections: <a href="https://github.com/rust-lang/rust-clippy/issues/4515" target="_blank" title="https://github.com/rust-lang/rust-clippy/issues/4515">https://github.com/rust-lang/rust-clippy/issues/4515</a><br>
At this point all lints we've requested that lead to UB in practice and not just in theory are implemented. We need to request some more!</p>



<a name="177643597"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clippy%20security%20lints/near/177643597" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html#177643597">(Oct 08 2019 at 18:21)</a>:</h4>
<p>nice</p>



<a name="177718764"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clippy%20security%20lints/near/177718764" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html#177718764">(Oct 09 2019 at 14:27)</a>:</h4>
<p>that, or we need to start exploiting more UB in the compiler to move things from the "theory" to the "practice" side of this ;)</p>



<a name="183900837"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clippy%20security%20lints/near/183900837" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html#183900837">(Dec 20 2019 at 01:00)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> should we file an issue for a more general security-oriented categorization of clippy lints?</p>



<a name="183924846"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clippy%20security%20lints/near/183924846" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clippy.20security.20lints.html#183924846">(Dec 20 2019 at 10:39)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> I'm not opposed to that in theory, but I do not see which lints would qualify as of yet. The "this is a security vulnerability" lints hugely overlap with "correctness" lints, and it's not like we have lints for SQL injection or some such.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>